Crime Policies and Computer Fraud Coverage

Posted by Gene Killian on August 31, 2012

Can a first-party insurance policy ever provide coverage for third-party loss?  Well…that depends on what the policy actually says, which goes back to the first rule of all coverage work:  Read The Policy.  (Corollary rule:  Assumptions Are The Mother of All Foulups.)

Here are the facts from a very recent case decided by the U.S. Court of Appeals for the Sixth Circuit on this topic.  DSW operates shoe stores.  Hackers used the local wireless network at one DSW store to get unauthorized access to the DSW computer system and download credit card information for 1.4 million DSW customers at 108 stores.  A slew of fraudulent transactions followed.

Following the data breach, DSW incurred substantial expenses for customer communications, public relations, customer claims and lawsuits, and attorneys’ fees in connection with investigations by seven state Attorneys General and the FTC.  DSW eventually entered into a consent order with the FTC requiring DSW to shore up its security system.  The biggest hit taken by DSW, though – roughly $4 million – arose from the compromised credit card information: costs associated with chargebacks, card reissuance, account monitoring, and fines imposed by VISA/MasterCard.  DSW’s total loss was about $6.8 million.

National Union had sold DSW a Blanket Crime Policy.  The policy provided coverage for “Loss which the Insured shall sustain resulting directly from…The theft of any Insured property by Computer Fraud.”

The Policy defined “Computer Fraud” as “the wrongful conversion of assets under the direct or indirect control of a Computer System by means of (1) The fraudulent accessing of such Computer System; (2) The insertion of fraudulent data or instructions into such Computer System; or (3) The fraudulent alteration of data, programs or routines in such Computer System.”

But, the Policy excluded the costs of defending lawsuits, “except as may be specifically stated to the contrary.”

National Union argued that, given the exclusion for defending suits, the policy was essentially a Fidelity Bond providing only first-party coverage, and that losses associated with third-party claims (such as those made by the FTC and customers) were not included within the insuring agreement.

But the Court wrote that “the label given to a policy is not determinative of coverage,” and focused on the coverage grant.  “Loss” is a broad term. What did it mean that a covered “Loss” must “result directly from the theft”?  National Union argued that the “resulting directly from” language required that the theft of property by computer fraud be the “sole” and “immediate” cause of the policyholder’s loss.  The Court, however, found that the language was ambiguous, writing:  “We find that the phrase ‘resulting directly from’ does not unambiguously limit coverage to loss resulting ‘solely’ or ‘immediately’ from the theft itself.”  In other words, “proximate” cause of a loss was all that was needed...and that was enough to encompass the costs of dealing with the third party claims, taking them out of the exclusion for defending suits and claims.  There was no question that DSW had suffered a “financial loss,” even if part of that loss was attorneys’ fees, and there was a “sufficient link” between “the computer hacker’s infiltration of [DSW’s] computer system” and the financial loss. 

National Union also pointed to an exclusion in the policy reading:  “Coverage does not apply to any loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind.”  The Court held that this exclusion did not apply.  Basically, the Court found that the exclusion was meant to apply to the policyholder’s information, used in the policyholder’s business, which gives the policyholder the “opportunity to obtain advantage over competitors who do not know or use the information.”  Here, the information belonged to customers, and not really to DSW.

Given the exclusion for defending claims, insurance company folks may argue that this case is an example of a Court bending over backwards to find coverage where none really exists. But I think that, in a way, this case represents the flipside of bad faith.  If a claim is “fairly debatable,” then the insurance company can’t be held liable for bad faith in refusing to cover it.  But…if the application of policy language is “fairly debatable,” then the policyholder should (and usually does) get the benefit of the doubt as to whether coverage exists.  After all, the carrier writes the policies, and the carrier has to deal with the consequences if the language is not 100% clear.        

Fidelity insurance and Ponzi schemes

Posted by Gene Killian on March 19, 2012

Spring is a time of rebirth and hope, especially for baseball fans.  No matter how badly your team played last year, when March rolls around, you’re tied for first!  That is, unless (like me) you’re a fan of the woeful New York Mets.  After just a few weeks of spring training, their third baseman already has a rib injury; their first baseman (who missed most of last year after spraining his ankle by tripping over his own feet) has come down with some sort of weird desert fever; and one of their key relief pitchers is out for at least six weeks with a torn meniscus.  Oh, I almost forgot, their All-Star shortstop now plays for someone else.  

Can it get any worse?  When it comes to the Mets, yes, of course it can! There’s the little matter of Bernie Madoff.  Mets ownership has now been ordered to return $83 million to Madoff’s victims. 

Leaving the Mets and my baseball misery to one side, the Madoff situation in general has given rise to some interesting insurance coverage questions.  Recently, in Jacobson Family Investments v. National Union, a New York state court judge rejected efforts by carriers to lump named insureds together for the purpose of showing that on the whole, they were “net winners” in the Madoff fraud and therefore not entitled to insurance recovery for their losses from the Ponzi scheme.  The case involved a fidelity-type bond or policy, in part covering damages caused by “outside investment advisors.”  

The plaintiff-policyholders were investment vehicles set up by the heirs to the founders of industrial equipment supplier MSC Industrial Direct Co. Inc. and affiliated with Jacobson Family Investments, Inc.  The carriers argued that, because the investment vehicles were all listed in the policy under the heading “Complete Named Insured,” they were in essence one policyholder, and their net wins and losses had to be aggregated.  Because the aggregate amount of all of the policyholders’ net account balances with Madoff actually made them a “net” equity winner (together, they had withdrawn $5.9 million more than they invested with Madoff), the argument was that there was no compensable loss for insurance purposes.  

Based upon the clear terms of the policy, the judge wasn’t buying it.  The Court stated that the named insured rider “does not provide that [the] entities’ net wins and losses should be aggregated…it is [simply] an informational declaration of all the entities and individuals who may draw from the bond.”  

The carriers also tried to rely upon the “Single Loss” provision of the policy, which states:  “Subject to the Aggregate Limit of Liability, the Underwriter’s liability for each Single Loss shall not exceed the applicable Single Loss Limit of Liability…If a Single Loss is covered under more than one Insuring Agreement or Coverage, the maximum payable shall not exceed the largest applicable Single Loss Limit of Liability.”  “Single Loss” was defined as “all covered loss” resulting from a fraud.  Therefore, the carriers again argued, all of the policyholders’ wins and losses had to be aggregated to determine whether there was a compensable “Single Loss.”  

Again, the Court wasn’t buying.  First, the Court held that the purpose of the “Single Loss” provision was simply “to limit [the primary carrier’s] liability, under the Bond, for separate acts of malfeasance,” not to require aggregation of wins and losses.  Second, the Court held that a “Single Loss” was defined as “all covered losses, not all covered net losses.”  The Court stated:  “Courts should be extremely reluctant to interpret an agreement as impliedly stating something which the parties have neglected to specifically include.”  

Finally, the carriers cited a “Joint Insured Provision” in an effort to support the argument that all of the named insureds’ wins and loses had to be aggregated together.  The “Joint Insured Provision” states, in part:  “If two or more Insureds are covered under this bond, the first named Insured shall act for all Insureds.  Payment by the Underwriter to the first named Insured of loss sustained by any Insured shall fully release the Underwriter on the account of such loss…The liability of the Underwriter for loss or losses sustained by all Insureds shall not exceed the amount for which the underwriter would have been liable had all such loss or losses been sustained by one Insured.”  

The Court shot that argument down as well, writing:  “It is clear from the cited language that the main purpose of this Provision was to create an organized procedure to make claims under the Bond.  There are over 160 entities or individuals covered under this Bond…and if each entity had a claim…the insurance company would be processing significant amounts of paperwork.  Assigning one of the Insureds the power to act for others covered under the Bond resolves this issue.”  

This decision shows that, even in cases involving so-called “sophisticated” policyholders, some Courts will still apply strict rules of construction against carriers.  Interestingly, at no point did the Court say that the policy was ambiguous.  Rather, the Court essentially said that the carriers were attempting to engraft terms upon the policy that did not actually exist.  This is known in our business as “post-loss underwriting.”  

The excellent policyholder attorney Robin Cohen and her great team at Kasowitz Benson handled this case for the policyholders.